System Descriptions in GMP Inspections
Recommendation
26-29 November 2024
Klaus Feuerhelm, former GMP inspector at the Regierungspräsidium Tübingen, has created a TOP 3 list of the deficiencies in 2020 with regard to computerised systems. In 2nd place are deficiencies in system descriptions.
What is the regulatory basis?
(EU-GMP Annex 11 - 4.3): For critical systems an up to date system description detailing the physical and logical arrangements, data flows and interfaces with other systems or processes, any hardware and software pre-requisites, and security measures should be available.
At first glance, the reference to critical systems narrows down the selection somewhat. Here the problem arises "Which GMP systems are not critical?". It will be difficult to evaluate GMP systems as non-critical, but there are of course systems that are more critical than others. Therefore, this specification should be interpreted to mean that we generally need a system description. One can even go so far that the system description must be a separate document and cannot be integrated elsewhere (e.g., validation plan). This results from the requirement alone that the system description must be kept up to date..
So the first deficiency would be that the system description as such is not available, which is indeed not uncommon.
Further deficiencies then arise from the content, which may not meet the requirements of EU-GMP Annex 11, but is clearly stated there.
The contents of the system description according to Annex 11
- Technical and logical arrangement of the systems
- Data flow
- Interfaces to other systems
- Interfaces to other processes
- All hardware and software requirements
- Security measures
System description in inspections
During inspections, it has been shown time and again that individual items have not been mentioned and described. Not infrequently, a detailed description of the security measures is missing. What would be important?
- Defined responsibilities for system security
- User management including role concept
- Physical and logical security
- Assignment of user rights and responsibilities corresponds to the organizational structure
- Password concepts
- User training (security concepts)
- Encryption
- Virus protection concept
- Others
In this context, it may also be possible to refer to individual SOPs. It may also be helpful to consult other regulations or guidelines that also contain information on the system description. These include the GAMP 5 ® guideline and PIC/S PI 011. However, both guidelines are not up to date in this respect, as they refer to the old Annex 11 (1992 version), although the old Annex 11 and the current Annex 11 (2011 version) do not differ that much:
EU-GMP Annex 11 (old):
"A written detailed description of the system should be produced (including diagrams as appropriate) and kept up to date. It should describe the principles, objectives, security measures and scope of the system and the main features of the way in which the computer is used and how it interacts with other systems and procedures."
EU-GMP Annex 11 -4.4 (current):
"For critical systems an up to date system description detailing the physical and logical arrangements, data flows and interfaces with other systems or processes, any hardware and software pre-requisites, and security measures should be available."
The old version still explicitly mentions the application areas, which is actually a matter of course.
Let's have a look at the note in PIC/S PI 011 for the system description:
PIC/S PI 011
"10.4 The regulated user should be able to provide documentation describing the computer system(s) to include logic flow or block diagrams where practical, also giving an indication of hardware layout, networks and interaction. These basic schematics should align with the functional specification and be traceable to the URS."
In this part the requirement of the old Annex 11 can be deduced. But the last sentence is interesting:
"These basic schematics should align with the functional specification and be traceable to the URS."
Here we get a hint when the system description is to be created, namely immediately after the DQ.
Finally, let us compare the contents of Annex 11 and GAMP 5 ® on system description. It should be noted that the information in GAMP 5® is still based on the old Annex 11.
The last point (electronic records and signatures) is interesting; this does not appear in Annex 11 in this way, which makes perfect sense.